Uber to dole out $148m settlement among US states over breach it paid $100k to bury

Nice. Ride-hailing app firm also vows to comply with law

Uber will pay $148m to US state authorities in a settlement for the 2016 data breach that saw hackers steal information on 57 million people.

The firm covered up the hack – which exposed names, email addresses and phone numbers of drivers and customers – for almost a year. It also attempted to bribe the thieves, offering them $100,000 disguised as a bug bounty to keep quiet.

However, under the new leadership of Dara Khosrowshahi, the firm 'fessed up in November 2017, and was promptly bombarded with various lawsuits and investigations.

It has now agreed a settlement with the 50 US states and the District of Columbia for $148m – the largest such penalty handed out by multiple states.

The penalty is not being divided equally across the states – for instance, Rhode Island will get $800,000, Arizona, $2.7m, New York, $5.1m, and California, which helped strike the deal, will get $26m.

"Uber's decision to cover up this breach was a blatant violation of the public's trust," said Californian attorney general Xavier Becerra yesterday evening (UK time).

"Consistent with its corporate culture at the time, Uber swept the breach under the rug in deliberate disregard of the law. Companies in California and throughout the nation are entrusted with customers' valuable private information. This settlement broadcasts to all of them that we will hold them accountable to protect their data."

The settlement also requires Uber to take certain actions, including the rather obvious condition that it complies with state laws on safeguarding of personal information.

Another doozy is the requirement for "strong password policies" for employees accessing the Uber network.

Other demands made of Uber include it agreeing to have an external audit of its data security efforts on a regular basis and to report any data security incidents to the states on a quarterly basis for two years.

Further requirements are to develop corporate integrity and infosec programmes and commit to increased transparency on data security and privacy – all of which Uber has insisted it has been doing since the breach was made public.

"The commitments we're making in this agreement are in line with our focus on both physical and digital safety for our customers," said chief legal officer Tony West, pointing to recent announcements on safety and new hires in the security team. ®